--- NATIONAL INFRASTRUCTURE PROTECTION CENTER
W32.Bugbear@mm or I-Worm.Tanatos
NIPC ADVISORY 02-008
October 3, 2002
The National Infrastructure Protection Center (NIPC) is issuing this advisory to heighten awareness of an e-mail-borne worm known as W32.Bugbear or I-Worm.Tanatos. This network-aware worm, which is being circulated as an e-mail attachment, appears to target machines running Microsoft software. The worm is attached to e-mails with a wide variety of subject lines, such as "bad news," "Membership Confirmation," "Market Update Report," and "Your Gift," and appears to use randomly generated names to avoid detection by anti-virus software, as well as multiple file extensions to disguise the fact that it is an executable file. W32/Bugbear-A tries to copy itself to all types of shared network resources. The anti-virus industry has reported that this worm has infected over 22,000 systems in the past 24 hours and is continuing to spread.

Due to its keystroke-logging and backdoor capabilities, the worm is capable of intercepting a victim's Internet activity, for example credit-card information, banking information, usernames, and passwords. The NIPC is urging all owners of infected systems to change logins and passwords after the infection has been reported and removed. System administrators should be aware that attackers could exploit these vulnerabilities to gain remote access, which could enable the attacker to take any action desired, such as installing malicious code; running programs; and reconfiguring, adding, changing, or deleting files.

Description:

The Bugbear worm arrives in victims' in-boxes in the form of a random e-mail. The only constant signature of the worm has been the size of the attachment, which to date has been 50,688 bytes. The virus installs a Trojan horse component called "PWS-Hooker" on infected machines. The Trojan program searches for and tries to disable a number of common Windows processes and popular anti-virus and firewall software. The actual infected file arrives as an attachment.
The subject line, name of the attachment, and text in the body of the message can vary; the attachment name typically has a double extension, such as ".doc.pif." The worm may also attempt to determine the presence of an Apache 1.3.26 web server and relay this information to an external e-mail address; it continuously looks for and terminates processes by listening on port 36794/tcp and port 137/udp. When a remote system is restarted, the worm's file gets control and infects the system.

The worm exploits the MIME and IFRAME vulnerabilities in Microsoft Internet Explorer 5.01 and 5.5; however, users running Internet Explorer 5.01 Service Pack 2 are not affected by this vulnerability. These vulnerabilities may allow an executable attachment to run automatically, even if the user does not double-click on the attachment. A preview-pane option in Microsoft Internet Explorer allows users to view e-mail without clicking on it. Users can delete the e-mail before it is displayed in the preview pane by turning that option off until the appropriate patches have been applied.

Microsoft has issued a patch to secure against these attacks. The patch can be downloaded from Microsoft Security Bulletin MS01-027: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-27.asp (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.)

Several anti-virus software vendors have updated their signature files to recognize this worm in an attempt to stop the infection upon contact. In some cases, anti-virus software will remove an active infection from your system.
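As an added example that is not part of the NIPC advisory, the following Python mail-gateway check looks for the indicators the advisory lists: the quoted subject lines, a double-extension attachment name such as ".doc.pif", and the constant 50,688-byte attachment size. The executable-extension list, the function names, and the zero-filled sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted from the advisory: subject lines, double extension, attachment size.
KNOWN_SUBJECTS = {"bad news", "membership confirmation", "market update report", "your gift"}
KNOWN_ATTACHMENT_SIZE = 50688
# Assumption: suffixes that mark a disguised executable (the advisory itself shows only .pif).
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat"}


def attachment_indicators(msg):
    """Return the advisory indicators matched by a parsed EmailMessage, in a fixed order."""
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        hits.append("known-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        # Double extension such as "report.doc.pif": an executable suffix behind another suffix.
        if len(pieces) >= 3 and "." + pieces[-1] in EXECUTABLE_EXTENSIONS:
            hits.append("double-extension")
        payload = part.get_payload(decode=True) or b""
        if len(payload) == KNOWN_ATTACHMENT_SIZE:
            hits.append("attachment-size-50688")
    return hits


def scan_raw(raw_bytes):
    """Parse an RFC 822 message from bytes (as a gateway would receive it) and check it."""
    return attachment_indicators(email.message_from_bytes(raw_bytes, policy=policy.default))


def build_sample(subject, filename, size):
    """Construct a harmless sample message (zero-filled attachment, not worm code) for testing."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    suspicious = build_sample("Your Gift", "report.doc.pif", KNOWN_ATTACHMENT_SIZE)
    print(scan_raw(suspicious.as_bytes()))  # ['known-subject', 'double-extension', 'attachment-size-50688']
    print(scan_raw(build_sample("Meeting notes", "notes.doc", 1200).as_bytes()))  # []
```

Because the advisory notes that subject lines and attachment names vary, the size match is the only indicator that is constant on its own; treat the other two as supporting signals for triage rather than a definitive verdict.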
Additional information can be obtained at:

Central Command http://www.centralcommand.com
McAfee http://www.nai.com
Symantec http://symatec.com
Sophos http://sophos.com

Recommendation:

The NIPC strongly urges the community to consider applying patches from Microsoft to secure against these attacks. All versions of Windows are vulnerable to this worm's ability to arrive via open file sharing. Users of Macintosh, Linux, and Unix are not at risk. Users of Internet Explorer 6 should be safe from the e-mail portion of this worm.

The NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or [EMAIL PROTECTED]

--- IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk
